
Apache .conf files "Require all" utility?

I am working with Apache .conf files on Fedora 30.

In /etc/httpd/conf/httpd.conf, there is:

<Directory />
    AllowOverride none
    Require all denied
</Directory>

There is also:

DocumentRoot "/var/www/html" 

That means that "localhost" starts from this "/var/www/html" directory.

Question 1: What is the use of "Require all denied" for Directory "/" when DocumentRoot is at a lower level (so the server will not serve any files in higher-level directories)?

At the end of httpd.conf, there is:

IncludeOptional conf.d/*.conf

So I create a personal.conf in "/etc/httpd/conf.d"; inside I set:

<Directory "/var/www">
    AllowOverride None
    Require all denied
</Directory>

I restart Apache (systemctl restart httpd.service) but the localhost/index.html (aka "DocumentRoot"/index.html or "/var/www/html"/index.html) is still available.

It acts as if this directive in httpd.conf took priority:

<Directory "/var/www/html">
    Require all granted
</Directory>

Question 2: So what is the use of "Require all denied" on a higher-level directory?

Thank you for your help :)

Question 1: What is the use of "Require all denied" for Directory "/" when DocumentRoot is at a lower level (so the server will not serve any files in higher-level directories)?

Question 2: So what is the use of "Require all denied" on a higher-level directory?

The server could easily serve files below the document root if the Require all denied wasn't there; you only need a small misconfiguration in your server. Imagine for example an Alias like

Alias /etc /etc

which would allow you to read the password file from http://localhost/etc/passwd or other sensitive stuff. With the default configuration you would need an explicit override like

<Directory /etc>
   Require all granted
</Directory>

to do this.

The directive

<Directory />
    AllowOverride none
    Require all denied
</Directory>

is used to prevent any access below your /var/www/html directory as a security mechanism ("be as restrictive as possible").

Thank you for your answer.

Now for question 2: let's imagine a house: outdoor [door 1] hall [door 2] corridor [door 3] living-room.

In /etc/httpd/conf/httpd.conf, I close the front door [door 1] of the house

<Directory />
    AllowOverride none
    Require all denied
</Directory>

I open the door between the hall and the corridor [door 2]

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

I open the door between the corridor and the living-room [door 3]

<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>

Then in a personal.conf file in "/etc/httpd/conf.d" I close the door between the hall and the corridor [door 2]:

<Directory "/var/www">
    AllowOverride None
    Require all denied
</Directory>

Why is the living-room still accessible (localhost/index.html or /var/www/html/index.html is accessible) when [door 2] is closed?

I need to be explicit:

<Directory "/var/www/html">
    AllowOverride None
    Require all denied
</Directory>

in personal.conf to get the "Forbidden You don't have permission to access this resource." message...

Thanks again.
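The behaviour described in the follow-up matches httpd's documented merge order: plain <Directory> sections are applied from the shortest path to the longest, sections for the same directory in the order they are read, and with the default AuthMerging Off the last section that sets Require replaces the earlier ones. The sketch below is an added example, not part of the original posts; it is a simplified model of that rule (function names are hypothetical, regex sections and .htaccess are left out) using the sections quoted on this page.

```python
# Simplified model of httpd's <Directory> merge order (added example).
# Assumptions: plain, non-regex <Directory> sections only, no .htaccess,
# default "AuthMerging Off" so the last applied Require replaces earlier ones.
from pathlib import PurePosixPath

# (directory, Require value) in the order httpd reads them. personal.conf is
# pulled in by "IncludeOptional conf.d/*.conf" at the end of httpd.conf.
SECTIONS = [
    ("/", "denied"),               # httpd.conf
    ("/var/www", "granted"),       # httpd.conf
    ("/var/www/html", "granted"),  # httpd.conf
    ("/var/www", "denied"),        # conf.d/personal.conf
]


def applies(directory, file_path):
    """True if file_path is the directory itself or lies underneath it."""
    d, p = PurePosixPath(directory), PurePosixPath(file_path)
    return d == p or d in p.parents


def effective_require(file_path, sections=SECTIONS):
    """Return (final Require value, ordered list of sections applied)."""
    matching = [
        (len(PurePosixPath(d).parts), order, d, req)
        for order, (d, req) in enumerate(sections)
        if applies(d, file_path)
    ]
    # Shortest directory first; same directory keeps configuration order.
    matching.sort(key=lambda m: (m[0], m[1]))
    trace = [(d, req) for _, _, d, req in matching]
    return (trace[-1][1] if trace else None), trace


if __name__ == "__main__":
    # Constructed sample paths, including the Alias /etc /etc case above.
    for path in ("/var/www/html/index.html", "/var/www/other.txt", "/etc/passwd"):
        result, trace = effective_require(path)
        print(f"{path}: Require all {result}")
        for directory, req in trace:
            print(f"    <Directory {directory}> -> {req}")
```

Because "/var/www/html" is longer than "/var/www", its "Require all granted" is applied last no matter which file the "/var/www" section lives in, which is why only an explicit deny on "/var/www/html" (or removing its grant) produces the Forbidden response.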
